2023-06-23

Alphabets

Image from Unsplash

It is a somewhat strange sensation when suddenly everyone is talking about something and you have no idea where it came from. My teammates came to the rescue: it was on Facebook, which is just a corner of the internet I never visit. You may have seen it, though: that message that warns about links that are not what they seem because they contain letters from a different alphabet. It was adopted by the popular newspaper USA Today and then things went fast.

Homoglyph is the term for a character that looks like another character. The best-known examples in our own alphabet are the 0 and the O: the first is a digit, the second a letter, and they are always hard to tell apart. And what about the l and the I? The first is the lowercase L, the second the uppercase i. Since modern texts usually use sans-serif fonts, you won't see the difference. If you choose a font with serifs, you will see this: “And what about the l and the I?” (Courier New font).

The Cyrillic alphabet, used in Russia and neighbouring countries, also contains homoglyphs. The example shown on Facebook mentions our a and its Cyrillic counterpart. Incidentally, the letter that the message calls the Cyrillic a is in fact the Greek letter alpha (ɑ); the real Cyrillic a looks like this: а.

All letters, numbers and other characters that you can type on your keyboard are defined in tables. The best-known table is ASCII; IBM mainframes speak EBCDIC; and the most extensive is Unicode, because it defines the letters of all alphabets, not just the Latin alphabet we are familiar with. The Cyrillic letter at the end of the previous paragraph was created by typing the Unicode code point for that letter (0430) and then pressing Alt and X. With the help of the Unicode tables you can therefore produce any character, even one that does not appear on your keyboard, such as Њ and ß.

In the address bar of your browser you will not see the difference between amazon.nl and аmаzon.nI (the latter contains the Cyrillic a and a capital i). While you might think that this URL will take you to the Dutch website (.nl) of that company, it will take you to a website hosted in Nicaragua, because the top-level domain (TLD) .ni belongs to that country. You can see how easily criminals can lure you to their fake website, where they then steal your data or install malicious software on your device. Dutch domains, which fall under the TLD .nl, are relatively safe because no domains can be registered with characters outside our own alphabet. But beware: the trick with the i and the L does work there.

Your browser can protect you from a homoglyph attack simply by not supporting such characters in domain names or by rejecting a mix of different alphabets. In addition, many domain registrars refuse to register deceptive domains. So you could say that all the attention for homoglyphs is a bit exaggerated: effective measures have been taken.
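The two checks described above (reject a label that mixes alphabets, and recognise a name that imitates a protected one), worked out as an added example in Python; this is not code from the original post. The confusable table is a constructed subset that covers the characters the post mentions, and the protected-name list is an assumption.

```python
import unicodedata

# Constructed subset of visually confusable characters, mapped to the Latin
# letter they imitate. The real Unicode confusables list is far larger.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A (the letter in the Facebook post)
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA, the alpha-like glyph in the post
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "0": "o",       # digit zero vs. letter O
    "I": "l",       # capital i vs. lowercase L (the .nl / .nI trick)
}


def script_of(ch):
    """Rough script classification taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    if ch.isascii() and (ch.isalnum() or ch == "-"):
        return "LATIN"  # ASCII digits and the hyphen travel with Latin letters
    return "OTHER"


def analyze_hostname(host):
    """Per-label report: punycode form, scripts used and a mixed-script flag."""
    host = host.casefold()  # browsers lowercase the host, so "nI" becomes "ni"
    report = {}
    for label in host.split("."):
        scripts = {script_of(c) for c in label if not (c.isdigit() or c == "-")}
        try:
            # IDNA encoding yields the "xn--" form a wary browser shows instead
            punycode = label.encode("idna").decode("ascii")
        except UnicodeError:
            punycode = None  # not a valid internationalised label at all
        report[label] = {
            "punycode": punycode,
            "scripts": sorted(scripts),
            "mixed": len(scripts) > 1,
            "non_ascii": not label.isascii(),
        }
    return report


def skeleton(host):
    """Replace each confusable character by the Latin letter it imitates.

    The mapping is applied to the displayed form before lowercasing, so the
    capital i in ".nI" becomes an l, exactly as the eye reads it.
    """
    return "".join(CONFUSABLES.get(c, c) for c in host).lower()


def lookalike_of(host, protected):
    """Return the protected name that `host` imitates, or None."""
    if host.lower() in (p.lower() for p in protected):
        return None  # the genuine name itself is not a lookalike
    sk = skeleton(host)
    for name in protected:
        if skeleton(name) == sk:
            return name
    return None


if __name__ == "__main__":
    protected = ["amazon.nl"]  # assumed brand watchlist
    for host in ("amazon.nl", "\u0430m\u0430zon.nI"):
        print(host, analyze_hostname(host), "imitates:", lookalike_of(host, protected))
```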

In this context, I would also like to mention another form of trickery and deceit, called typosquatting. Here someone registers a domain name that looks like a real one and then hopes that people will make a typo or misremember the name and end up on their site. Think for example of googel.com, amazone.com or microsof.com. The holders of the official websites of these organizations can protect themselves by registering all domains that resemble their own. If a smart guy manages to grab a similar domain anyway, the holder of the real domain can demand that the fake domain be cancelled.

My guess is that homoglyphs won't get you into trouble anytime soon. The chance that you type a wrong web address that a typosquatter happens to have registered is somewhat higher. But I think the most remarkable thing about these techniques is that they exist at all. It shows once again that criminals can be particularly inventive and possess a great deal of knowledge.

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2023-06-16

Awaremess

Image from Unsplash

If you master touch-typing, then you know that your fingers sometimes have a mind of their own. Fortunately, you usually realize that they have written something different than intended and then the backspace key is your best friend. Recently I had such a case where I couldn't suppress a grin: I didn't type 'awareness', but 'awaremess'. That small error led to this blog post.

In my profession, awareness means security awareness: the extent to which employees realize that they play an important role in information security, have the associated knowledge and act accordingly. But sometimes, things get a little messy.

So where did that grin on my face come from? The word awaremess does not exist, but you could interpret it as a mess that arises in the field of consciousness. And that's exactly where we are right now. For example, we do a lot to teach you how to recognize phishing mail. But at the same time, you are being bombarded with legitimate email that looks like it's phishing. And then it becomes a mess.

I give two examples. All civil servants have received (or are still receiving) mail from Shuttel, stating that they need to apply for a new card for public transport. That e-mail contained quite a few phishing indicators. The main red flags were the general salutation (“Dear Employee”), the warning that your old card would be revoked and, most importantly, a link that, when you hovered over it, showed a very different destination than the one shown in the mail itself: not my.shuttelportal.nl/[etc], but something like fbdecbh.r.af.d.sendiobt2.com/tr/cl/[etc]. The funny thing is that employees also hit on something that is not a phishing indicator at all. The Shuttel company wanted some words in the e-mail shown in bold, but that went wrong in the first series of e-mails: it did not say look & feel, but —look & feel’. The codes that were supposed to make the text bold didn't work properly. But that has nothing to do with phishing. The other indicators, however, were very phishy. The only thing that went well here is that the exchange was announced in advance on the intranet (but not everyone reads that). And what went well afterwards is that I quickly found someone in the responsible department who understood me and made sure that the Shuttel company was held accountable. Unfortunately that came too late for us, but things should be better at other ministries now.
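The hover check from the Shuttel example, automated as an added example (Python, not code from the post or from Shuttel): every link in an HTML mail is compared against its visible text, and against the domains the sender is expected to use. The mail body below is constructed; the hostnames are the two from the story and the path after the tracking host is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the card-exchange mail described above.
SAMPLE_HTML = """
<p>Dear Employee,</p>
<p>Your old card will be revoked soon. Apply for the new one here:
<a href="https://fbdecbh.r.af.d.sendiobt2.com/tr/cl/PLACEHOLDER">https://my.shuttelportal.nl/newcard</a></p>
<p>Questions? See <a href="https://my.shuttelportal.nl/help">my.shuttelportal.nl/help</a>
or <a href="https://my.shuttelportal.nl/contact">contact us</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that a reader would take for a web address.
HOST_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


def host_of(s):
    """Hostname of a URL, or of bare text such as 'my.shuttelportal.nl/help'."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def is_trusted(host, trusted_domains):
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def audit_links(html, trusted_domains):
    """Return the links that show the red flags from the post."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = host_of(href)
        # The hover check: the text shows one host, the link goes to another.
        if HOST_LIKE.match(text) and host_of(text) != target:
            reasons.append("display/destination mismatch")
        # The sender check: the destination is not one of the sender's domains.
        if not is_trusted(target, trusted_domains):
            reasons.append("destination outside sender's domains")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Assumed: the sender is expected to link only to shuttelportal.nl.
    for finding in audit_links(SAMPLE_HTML, ["shuttelportal.nl"]):
        print(finding)
```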

The second example is closer to home, because it concerns the medium on which this blog is published: our intranet. That intranet was radically changed a while ago. And so there was an email with the subject: “Survey: What do you think of the personalized intranet?” That e-mail comes from an external address, but it does show the name of our organization as the sender: red flag! The general salutation (“Dear reader!”) and the chance to win an “exclusive personalized gift with your avatar on it”, along with time pressure (“We are giving away 15, so be on time”), only made it worse. And finally, the e-mail was signed impersonally (“Team Online Editors”) and the survey was not announced on the intranet (!). The first email from a concerned colleague has already arrived, and more will follow. Rightly so. Now, last week we had a nice meeting with the bloggers and the intranet editors, and there we were told that there would be a survey. So by chance I know that this e-mail is real, and I have informed the editors about the phishy nature of their e-mail.

Things can also go wrong the other way. Employees received an email from a foreign address, without subject or text; it only contained a vague link. You would think: this can't be right, wouldn't you? Despite this, fifteen colleagues clicked on that link. Our security systems blocked it, so we know who clicked. I have spoken to some of these colleagues. They told me stories that make me understand how someone could be “stupid enough” to click. Most poignant was the case of the manager of a colleague who had recently died: this colleague's surname matched the sender's name. The manager therefore thought that the family was seeking contact. In another case, the mail also contained the addresses of someone's brother (with whom he had long lost contact) and of another acquaintance. It is likely that hackers captured address books and made good use of them when compiling the mail. So it's far too easy to say: how could one be that stupid? Their actions were not stupid, but humane. It saddens me that criminals undermine that humanity.

And so it is quite a mess in terms of security awareness. My typo wasn't that bad after all.


And in the big bad world…

2023-06-09

Pippi Longstocking

Image from Pixabay

“Pippi Longstocking follows you and invites you to connect.” If you don't recognize this text, then you are one of the few readers who are not on LinkedIn, I think. If you are a member, then I have two questions for you: how do you respond to such invitations and how would you respond better?

For your convenience, the invitation mentions that you and Pippi have some mutual friends: Tommy and Annika. That should serve as a kind of reference. However, I don't trust that, especially since I once asked a colleague how he knew such a Tommy or Annika. “Who?” was his telling response. Many people blindly click the button to befriend the new contact.

LinkedIn, the Facebook for professionals, like all social networks, benefits from a growing number of members. They therefore make it extra tempting to click on 'yes': Pippi only asked if you wanted to be friends, LinkedIn added Tommy and Annika on their own initiative. But who is that Pippi anyway? You can already view her profile before accepting her friendship. If Pippi Longstocking, as we all know her, were on LinkedIn, her profile would look something like this. Job Title: Boss. Company: Villa Villekulla. Education: none. Knowledge: everything. Skills: being strong and rich. Number of connections: millions.

On LinkedIn I found three accounts under the name Pippi Longstocking. Those accounts have a lot in common: one or no followers, never posted a message, no photo and a very empty profile at all. One of them claims that she graduated from Harvard Business School in 2016 and is the founder of a candy factory in Kansas. Number two is the boss of a sportswear and accessories company in California and the third is a self-employed menu planner in England.

I have no idea what the point of these accounts is, but I do have an idea of what one can do with fake accounts. The platform has been reported as a highly prominent tool of phishing cybercriminals. LinkedIn explains it this way: “Fraudsters may use a practice called phishing to try to obtain your sensitive data such as usernames, passwords, and credit card information. These fraudsters impersonate legitimate companies or people, sending emails and links that attempt to direct you to false websites, or infect your computer with malware.” And they provide even more information and examples of LinkedIn-related phishing.

The three Pippi accounts I found are far too bare-bones to be used for phishing purposes. Real fake accounts usually contain an impressive profile, which makes them appear realistic. The photo shows a pretty young lady rather than an ugly guy. And often those photos are fake too: last year, researchers at the Stanford Internet Observatory discovered more than a thousand artificial intelligence-generated profile photos on LinkedIn. Sigh – now you not only have to recognize phishing mail, but you also have to learn to recognize AI photos. And that's not easy, especially with stamp-sized photos. In addition, fake accounts paint the image of a highly experienced professional in your field. Basically, you see someone you'd like to add to your stamp collection.

Incidentally, phishing is not the only thing you can do with this. Connecting via LinkedIn can also be used more broadly for social engineering (hacking the human) with the aim of getting someone to give up information or do certain things. At first there may just be some (professional) chitchat, which then gradually moves on to topics that your employer might prefer you not to talk about.

Back to the questions at the beginning. Do you blindly accept connection requests? And if so, what do you think about it after reading this blog? I handle them this way: I always accept requests from colleagues (after checking whether they are really colleagues), and I only accept other people if I have met them in real life before. That's what it says in my profile. Not everyone reads that – I decline some connection requests every week. Very rarely will there be a criminal among them, but at least I keep them out this way, too. Does that mean I have fewer connections? Yes, but so what? And if you would like to read the Security (b)log on LinkedIn, you can simply follow me.

And so, dear intranet editor-in-chief, Pippi Longstocking made it into a work-related blog (-;

And in the big bad world…

2023-06-02

Metaverse

Image from Pixabay

We once referred to the internet with the term “the digital highway”. It was the time of 14k4 modems and - if you were lucky - ISDN lines, and compared to today you should have spoken of a digital service road. You regularly found yourself stuck in traffic or having a breakdown along the road. But now there is the metaverse: a virtual 3D world, a parallel universe, whether or not integrated into the real world, in which you can fully immerse yourself and interact with other people and companies.

This sounds very familiar to fans of the science fiction series Star Trek: as early as the late 1990s, Captain Jean-Luc Picard, Number One Will Riker and the rest of the crew used the so-called holodeck for recreational and training purposes. There they trained in a safe environment for situations they would later encounter in the real world. However, the metaverse does not work with holograms and force fields, but with 3D glasses and augmented reality (Wikipedia: an interactive experience that combines the real world and computer-generated content).

Winn Schwartau was in the Netherlands a few weeks ago. He is an American security analyst and a thought leader in my field. He came to Utrecht to share his view on the metaverse, and that was certainly not a rosy picture. Just look at the following quote: “We are digitally terraforming the future cognitive infrastructure. We have ONE chance to get it right.” Terraforming is what you do on an alien planet to make that planet habitable - literally forming an Earth. Schwartau applies this mechanism to our future knowledge infrastructure and believes that we should be very careful what we do.

Why these concerns? Schwartau calls the metaverse the most powerful reality distortion machine ever. You choose your own reality, in which you can then be indoctrinated, radicalized and bombarded with advertisements. He emphatically warns of the danger of addiction. I've never been addicted to anything myself, but I can understand that alcohol, drugs, and the metaverse all provide ways to escape the reality where you may not be doing so well. Schwartau substantiates his view with data from neuroscience: our subconscious mind processes data many times faster than our conscious mind – two hundred million times faster. About 84% of that processing capacity is used for seeing, hearing accounts for 10% and then there is still a little left over for smelling, tasting and feeling. If you provide someone with 3D glasses and bombard their subconscious with all kinds of stimuli, while they feel they are doing something fun, you can strongly influence that person. And make them an addict.

And then suddenly the term metawar appeared on the screen. Wait a minute: the metaverse is still in its infancy, but a war is already raging? In the non-English speaking world, ‘war’ is exclusively understood as armed conflict between nations, but (especially in the US?) it also means struggle or fight, as for example in the war on drugs. Schwartau distinguishes three classes in this struggle: personal, corporate/commercial and nation-state. The stage for the personal battle is the gaming and advertising world, where deceit lurks. In the commercial world we have to fear deep surveillance capitalism, indoctrination of employees and the end of privacy. And at the nation-state level, we are threatened by religious extremism, political radicalism and brainwashing.

Disinformation plays a role in all three classes of metawar. To defend ourselves against this, Schwartau advocates three developments: ChatGPT detection (what is real and what has been made by artificial intelligence?), deepfake detection (is that picture, film or sound fragment real?) and teaching critical thinking. I wholeheartedly agree with the latter in particular: use your common sense, and remember that if something seems too good to be true, it usually is.

To end on a somewhat positive note, I don't think the metaverse is any worse than the 'regular' internet. After all, the old incarnation is also widely abused. But with Schwartau's story in mind, I do think that the bad guys in the metaverse have a lot more potential to do evil, because they have much more direct access to your brain - and especially your unconscious. I'd say enjoy it, but watch out crossing the road.

And in the big bad world…

2023-05-26

Flying carpet

Image from Pixabay

On a drizzly Friday afternoon, one of those we've had so much of lately, the carpet ordered would be delivered. A showpiece for his new house, with a modern motif, no less than three by four meters in size. Just a little too big to take with you in the car, but luckily Ikea offered home delivery. And you don't have to count the screws this time, sir, and there is no Allen key either.

But in the course of that afternoon an email came in from “Post”. Subject: delivery issues. Content: “The product you ordered is still in our distribution center. You must first pay € 3.95 for customs duties. Click the button below to reschedule the delivery.” Payment had to be made by credit card. That was the point where our carpet enthusiast dropped out - if he could have paid with iDeal (a well-known payment system in the Netherlands), he would have done it, just to get rid of it quickly.

Now, however, he was going to call Ikea. There they told him that the message had not come from them and that the carpet would be delivered as scheduled. Exactly during that conversation, in which both sides quickly concluded that it must be phishing, another email arrived. This time it also mentioned an order number, which did not match the number of the carpet ordered.

The next day, both emails had miraculously disappeared. An unpleasant feeling came over our Ikea customer: had someone hacked his email account, seen the order and acted on it cleverly? Or was the retail chain perhaps hacked, or was there even a mole at the Swedish company who sold order data to cyber criminals? We'll probably never know - unless there are a ton of reports like that and the email provider or the store investigates and publishes the findings. But companies still tend to be quite introverted about such things.

I don't think any of these scenarios played out. Because that's how phishing works: you have ordered something and at exactly the right moment you receive a message that could very well apply to that order. Had you received that same message a few days earlier or later, you would have shrugged and ignored it. They use the shotgun approach, because it costs nothing anyway. And they always hit a few people for whom their message does have meaning entirely by chance.

What were the red flags, the signals that this could or should be phishing? To start with, the sender: not Ikea, not even PostNL (the Dutch postal service), but Post. I don't know a parcel delivery service by that name. Then, Ikea was not mentioned anywhere in the message; communication from a delivery service normally always names the sender of the parcel. And why customs duties? The carpet had been ordered in the Netherlands and there had never been any suggestion that it would be sent directly from a carpet-making country. And then of course that order number, which had nothing to do with the rug. Plenty of red flags, I'd say.

After hearing this account, I started asking questions. First of all: have you already changed your email password? That is always the first thing you do if you have the slightest suspicion that someone has access to your mail. Your mail account is your most important account, because almost all “I forgot my password” procedures go through your mail. In other words: whoever has access to your mail can gain access to many other accounts. Next question: both emails have disappeared, but do you still have the web page in the browser? It wasn't open anymore, but it was still in the browser history: onlinecamp[.]top. The e.Veritas URL checker classifies this site as unsafe, and that “.top”, the so-called top-level domain (like .com and .net), is special. In the internet registry, its target market is “general” and it is registered to Jiangsu Bangning Science & technology Co. Ltd., a Chinese domain registrar, a company where you can register your own internet domain. You can therefore reasonably assume that a link ending in .top (possibly followed by “/abracadabra/xyz/etc”) will take you to a Chinese website. Ask yourself if you really want to go there.

So much effort to collect € 3.95? No. Payment had to be made by credit card. If you enter your details on their fake site, the criminals have your credit card details, which they can use to make a multiple of that amount disappear. Fortunately, that did not work out this time and the carpet looks nice.

And in the big bad world…

2023-05-12

Misjudged

On October 22, 1895, the train you see in the photo left Granville on the Normandy coast at a quarter to nine in the morning, bound for Paris. As the crow flies, that is about three hundred kilometers (186 miles), which takes a modern train three and a half hours. At the time, the journey took an entire day.

At 3:55 p.m., the train rumbled into Paris, but it was several minutes late. The very experienced driver, Guillaume-Marie Pellerin, thought that he could partly make up for this delay by braking only at the last moment. But this time the brakes failed, and the train crashed through the buffer and the glass facade of Paris-Montparnasse station, where it came to a stop, as the photo shows, in an unreal position. There was one fatality to regret. Marie Augustine Aguillard wasn't even a passenger on this train; she was minding her husband's kiosk at the Place de Rennes for a while, as he had gone to get the evening papers. She was killed by falling debris.

The American George Westinghouse had invented a brake based on compressed air some twenty-five years earlier. The brake engages when the air lines lose pressure and will not release until a compressor has repressurized the lines. Because each carriage has its own brake, the entire train is braked. That system seems inherently safe: if something breaks, the pressure drops and the brakes kick in. However, on this train the Westinghouse brake failed anyway, and the brakes of the locomotive alone could not stop the train in time.

Engineer Pellerin took a risk. Had he thought carefully about what could go wrong and what the consequences could be, precisely at this location, a terminus? His train's inherently safe brakes gave Pellerin enough confidence to brake a little later than usual. If he had looked just a little further ahead, he might have realized that a brake failure in this very spot could have disastrous consequences.

Risk is often expressed with the simple formula Risk = Likelihood x Severity. We often do not calculate with numbers but with estimates: small, medium, large, possibly preceded by 'very' at either end of the scale. The formula shows that an event which is unlikely to occur (Westinghouse brake failure) can nevertheless lead to a high risk, because the expected consequences are very serious (deaths and injuries). The limits of the risks you want to take are determined by your risk appetite. Adventurous people have a greater risk appetite than cautious people, and manufacturers of hip technology products take greater risks than a government organization, just to name a few extremes.

You yourself also perform risk analyses every day, for example when you cross the road. You make an assessment of whether you will make it before that car reaches you, and you mainly look at the distance and speed of the car, and how well you are on your feet. But do you also consider the possibility of tripping? Do you still have enough time to get away, or does the driver have sufficient reaction time and is his braking distance long enough? We usually don't think about such a scenario, probably because it usually goes well. And that was precisely Pellerin's problem. It cost him a fine of fifty francs and two months of suspended prison.

Do me a favor and take care crossing the street when you go out later.

There will be no Security (b)log next week.

And in the big bad world…

2023-05-04

Half a payment

Image from author

A beautiful ring with the well-known Greek blue eye and a bracelet. That was my daughter's loot in that nice little shop in Neos Marmaras. When paying with her card, the shop lady noticed that the payment had not been successful. Well then, good old cash to the rescue. A little later, the transaction was actually visible in the bank's app. That was the beginning of a curious series of events.

We were still in that village and of course we went back to the store. The shopkeeper was visibly shocked and immediately went to check both her PoS terminals. Look, she said, nothing. I saw some Greek letters on the displays, which could mean anything, but her words and facial expressions were convincing. Moreover, as we only noticed then, the ING app stated 'reservation' with the amount. We came to the conclusion that it would be fine.

A day later, the transaction was still in the app, but now without 'reservation' added to it – the money was now really gone. Oh dear. What now? I called the bank and explained the situation. The gentleman who spoke to me could see what had happened, but he couldn't help me. I would have to go back to the store and explain it there and ask for my cash. Well yes, I protested, that shop is not in our village, I would have to drive all the way there again. Then maybe call them? The telephone costs could be higher than the amount in question. Anyway, the ING gentleman couldn't do anything for me.

Wait a minute, I said; a bank transaction must either succeed or fail, but not something in between. Isn’t it unthinkable that a PoS says that the payment has failed, and that the payment is then made anyway? No, he agreed with me. But he still couldn't do anything for me. I mentioned that I wanted to make a complaint about this and asked him what would happen next. He could only write down the complaint and pass it on, otherwise it was out of his sight.

What to do? We are talking about an amount of just over two tenners – money from my teenage daughter, so a relatively large amount. That shop was about a twenty-minute drive from our stay, which was doable. And so we went there again that evening. Fortunately, the same lady was in the shop and she asked what was wrong right away. She called in her boss (from the store across the street), who let me take pictures of the PoS's printouts, which showed that no transaction had taken place for that amount. She even let me take photos of her banking app, which also showed no sign of my daughter’s payment. The attitude and helpfulness of this lady convinced me that she was in good faith.

That was Friday night. On Monday she would immediately call her bank to inquire, and then she would contact me by email. But on Saturday morning, when we were already on our way home, we noticed a strange entry in my daughter's account: 'PoS reversal payment'. The money was back! But how? Did an automated process take place here, whereby the Greek bank and our ING together established that there was 'half' a transaction? Or did someone from our bank get to work in response to my complaint? I can hardly imagine the latter, especially because of the timeframe (weekend). But I have not (yet?) received any feedback on my complaint.

In information security we talk a lot about the aspect of integrity. In our context, this concerns the correctness and completeness of data and processes. Nothing may change unjustly and everything must be complete. In the above story, that integrity was violated: money had disappeared from my daughter's bank account and that money had not arrived anywhere. Such a transaction should be binary: right or wrong. It can't be half. I hope someone from the bank will explain to me how this could have happened. Or maybe someone from the banking industry in my network (are you reading along, Oscar?).

The blue eye, which is on the purchased jewelry, is a symbol in Greece to avert disaster. That eventually worked. Not that I'm superstitious, though.

And in the big bad world…
